about summary refs log tree commit diff
path: root/nix/hosts/corrino/www/md.emile.space.nix
blob: fc5df264dbd52120e49a6e90d9f0eb15918ec76b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
{ config, pkgs, ... }:

{
  services.nginx.virtualHosts."md.emile.space" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
      };
    };
  };

  # auth via authelia
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      id = "HedgeDoc";

      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
      secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ";
      public = false;
      authorization_policy = "two_factor";
      redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ];
      scopes = [
        "openid"
        "email"
        "profile"
      ];
      grant_types = [
        "refresh_token"
        "authorization_code"
      ];
      response_types = [ "code" ];
      response_modes = [
        "form_post"
        "query"
        "fragment"
      ];
      token_endpoint_auth_method = "client_secret_post";
    }
  ];

  services.hedgedoc = {
    enable = true;
    package = pkgs.hedgedoc;

    environmentFile = config.age.secrets.hedgedoc_environment_variables.path;

    settings = {
      host = "127.0.0.1";
      port = config.emile.ports.md;

      domain = "md.emile.space";

      urlPath = null; # we're hosting on the root of the subdomain and not a subpath
      allowGravatar = true;

      # we're terminating tls at the reverse proxy
      useSSL = false;

      # Use https:// for all links.
      # This is useful if you are trying to run hedgedoc behind a reverse proxy.
      # Only applied if domain is set.
      protocolUseSSL = true;

      # don't allow unauthenticated people to just write somewhere
      allowAnonymous = false;
      allowAnonymousEdits = true; # This allows us to set pads "freely"

      defaultPermission = "private";

      db = {
        dialect = "sqlite";
        storage = "/var/lib/hedgedoc/db.sqlite";
      };

      uploadsPath = "/var/lib/hedgedoc/uploads";

      path = null; # we want to use HTTP and not UNIX domain sockets...

      allowOrigin = with config.services.hedgedoc.settings; [
        host
        domain
      ];
    };
  };

  # backups
  services.restic.backups."hedgedoc" = {
    user = "u331921";
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
    # repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
    repository = "/mnt/storagebox-bx11/backup/hedgedoc";
    initialize = true; # initializes the repo, don't set if you want manual control
    passwordFile = config.age.secrets.restic_password.path;
    paths = [ "/var/lib/hedgedoc/" ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 75"
    ];

    # extraOpts = [
    #   "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
    # ];
  };

}